Particle.news
Download on the App Store

Silver Fox Uses Trusted Windows Drivers to Deliver ValleyRAT and Evade Blocklists

Check Point says attackers sidestep hash defenses by tweaking unauthenticated signature timestamps to keep signatures valid.

Overview

  • Check Point Research attributes the campaign to Silver Fox, which abused a Microsoft‑signed WatchDog driver (amsdk.sys v1.0.600) to terminate security tools and clear the way for ValleyRAT.
  • After WatchDog issued a patched driver, operators changed a single byte in the unauthenticated timestamp to generate a new hash without invalidating the signature, bypassing hash‑based blocklists.
  • The self‑contained loader includes anti‑analysis checks, persistence, two embedded drivers and a downloader, and it is configured to kill nearly 200 processes tied to antivirus and EDR tools.
  • An older Zemana‑based driver was bundled to support systems from Windows 7 through Windows 11, broadening reach across legacy and modern environments.
  • CPR traced command‑and‑control servers to China and noted targeting of security products popular in East Asia, and it advises using Microsoft’s driver blocklist with YARA and behavior‑based monitoring as arbitrary process termination risks persist.